[Snort-users] Ignore host

Kenneth G. Arnold bkarnold at ...8060...
Fri Apr 11 07:52:07 EDT 2003


It's my impression that [$HOME_NET,!10.195.1.195/32] would not solve your 
problem because $HOME_NET includes 10.195.1.195/32 and !10.195.1.195/32 
includes everything except the one IP address, including everything on your 
$EXTERNAL_NET.  The two would be effectively added together to become 
"any".  I think the only way to accomplish what you want is to write a pass 
rule for this sid for every rule in porn.rules for this IP address.  Anyone 
else have an opinion?

Ken


At 09:19 AM 4/11/03 -0500, David Scott wrote:
>I'm trying to ignore traffic from a particular host, but ONLY for a specific
>set of rules (PORN.RULES). I want to use the syntax
>
>alert tcp $EXTERNAL_NET $HTTP_PORTS -> [$HOME_NET,!10.195.1.195/32] any
>(msg:"PORN alt.binaries.pictures.erotica";
>content:"alt.binaries.pictures.erotica"; nocase; flags:A+; classtype:porn;
>sid:1836; rev:1;)
>
>Where I've added !10.195.1.195/32 to the standard $HOME_NET variable. Is
>this acceptable? Is this the most efficient way to do this?
>
>
>David Scott
>Memphis Technology Associates
>http://www.perimeterdefenses.com
>
>
>
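For reference, the pass-rule approach Ken describes, written out for the one rule David quoted. This is an added example, not a rule from the thread or from the Snort distribution: the pass rule repeats the match criteria of sid 1836 so that it only swallows packets that alert would have fired on, and restricts the destination to the single host. The sid 1000001 is an assumed local-rule number (local sids conventionally start at 1000000). The `config order` line is the Snort 2.x snort.conf directive (equivalent to the `-o` command-line switch) that makes pass rules take precedence; without it Snort 2.x evaluates alert rules before pass rules and the alert still fires.

```snort
# Added example, not from the thread. Exempt 10.195.1.195 from sid 1836 only.
# Goes in a local rules file (e.g. local.rules); porn.rules stays untouched.
# sid 1000001 is an assumed local-rule number.
pass tcp $EXTERNAL_NET $HTTP_PORTS -> 10.195.1.195/32 any \
    (msg:"PASS PORN alt.binaries.pictures.erotica for 10.195.1.195"; \
    content:"alt.binaries.pictures.erotica"; nocase; flags:A+; \
    sid:1000001; rev:1;)

# Goes in snort.conf (Snort 2.x). Default evaluation order is alert, pass, log,
# so the pass rule above is ignored unless pass is moved to the front:
config order: pass alert log
```

One such pass rule is needed per rule in porn.rules (with the same content and flags as the corresponding alert rule), which is why Ken describes it as the only, if tedious, way to exempt a single host from one rule file while leaving $HOME_NET alone.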